lemon-core 4.1.14 → 4.2.0

package/dist/cores/lambda/lambda-web-handler.js

@@ -1,18 +1,9 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.MyHttpHeaderToolV2 = exports.MyHttpHeaderTool = exports.LambdaWEBHandler = exports.mxNextFailure = exports.mxNextHandler = exports.promised = exports.redirect = exports.failure = exports.notfound = exports.success = exports.buildResponse = void 0;
+exports.MyHttpHeaderTool = exports.LambdaWEBHandler = exports.mxNextFailure = exports.mxNextHandler = exports.promised = exports.redirect = exports.failure = exports.notfound = exports.success = exports.buildResponse = void 0;
 /**
  * `lambda-web-handler.ts`
  * - lambda handler to process WEB(API) event.
@@ -37,6 +28,7 @@ const test_helper_1 = require("../../common/test-helper");
 const tools_1 = require("../../tools/");
 const protocol_service_1 = require("../protocol/protocol-service");
 const aws_kms_service_1 = require("../aws/aws-kms-service");
+const client_sts_1 = require("@aws-sdk/client-sts");
 const config_1 = __importDefault(require("../config"));
 const protocol_1 = __importDefault(require("../protocol/"));
 const NS = engine_1.$U.NS('HWEB', 'yellow'); // NAMESPACE TO BE PRINTED.
@@ -64,9 +56,9 @@ const $kmsPool = {};
  * @returns http response body
  */
 const buildResponse = (statusCode, body, options) => {
-    const contentType = options === null || options === void 0 ? void 0 : options.contentType;
-    const origin = (options === null || options === void 0 ? void 0 : options.origin) === undefined ? '*' : options === null || options === void 0 ? void 0 : options.origin;
-    const credentials = (options === null || options === void 0 ? void 0 : options.credentials) === undefined ? true : options === null || options === void 0 ? void 0 : options.credentials;
+    const contentType = options?.contentType;
+    const origin = options?.origin === undefined ? '*' : options?.origin;
+    const credentials = options?.credentials === undefined ? true : options?.credentials;
     const isBase64Encoded = contentType && !contentType.startsWith('text/') ? true : false;
     const _isXml = (body) => body.startsWith('<?xml ') && body.trim().endsWith('>');
     const _isHtml = (body) => body.startsWith('<!DOCTYPE html>') || (body.startsWith('<') && body.endsWith('>'));
@@ -121,28 +113,28 @@ exports.redirect = redirect;
  * @param event     event
  * @param $ctx      context
  */
-const promised = (event, $ctx) => __awaiter(void 0, void 0, void 0, function* () {
+const promised = async (event, $ctx) => {
     // TO SERVE BINARY. `$ npm i -S serverless-apigw-binary serverless-apigwy-binary`. refer 'https://read.acloud.guru/serverless-image-optimization-and-delivery-510b6c311fe5'
     if (event && event.httpMethod == 'GET' && event.path == '/favicon.ico') {
         return () => (0, exports.success)(FAVICON_ICO, 'image/x-icon');
     }
     //* transform to protocol-context.
     const param = protocol_1.default.service.asTransformer('web').transformToParam(event, $ctx);
-    (0, engine_1._log)(NS, '! protocol-param =', engine_1.$U.json(Object.assign(Object.assign({}, param), { body: undefined }))); // hide `.body` in log.
+    (0, engine_1._log)(NS, '! protocol-param =', engine_1.$U.json({ ...param, body: undefined })); // hide `.body` in log.
     //* returns object..
     return { event, param, $ctx };
-});
+};
 exports.promised = promised;
 /**
  * builder for default handler
  */
-const mxNextHandler = (thiz) => (params) => __awaiter(void 0, void 0, void 0, function* () {
+const mxNextHandler = (thiz) => async (params) => {
     //* determine if param or func.
     const fx = typeof params == 'function' ? params : null;
     const $param = params && typeof params == 'object' ? params : null;
     const { param, event } = $param || {};
     //* call the main handler()
-    const R = $param ? yield thiz.handleProtocol(param, event) : fx;
+    const R = $param ? await thiz.handleProtocol(param, event) : fx;
     //* - if like to override the full response, then return function.
     if (R && typeof R == 'function')
         return R();
@@ -154,7 +146,7 @@ const mxNextHandler = (thiz) => (params) => __awaiter(void 0, void 0, void 0, fu
     }
     //* returns response..
     return (0, exports.success)(R);
-});
+};
 exports.mxNextHandler = mxNextHandler;
 /**
  * builder for failure promised.
@@ -214,36 +206,15 @@ exports.mxNextFailure = mxNextFailure;
  * - default WEB Handler w/ event-listeners.
  */
 class LambdaWEBHandler extends lambda_handler_1.LambdaSubHandler {
+    //* shared config.
+    static REPORT_ERROR = lambda_handler_1.LambdaHandler.REPORT_ERROR;
+    //* handlers map.
+    _handlers = {};
     /**
      * default constructor w/ registering self.
      */
     constructor(lambda, register) {
         super(lambda, register ? 'web' : undefined);
-        //* handlers map.
-        this._handlers = {};
-        /**
-         * Default WEB Handler.
-         */
-        this.handle = (event, $ctx) => __awaiter(this, void 0, void 0, function* () {
-            //* inspect API parameters.
-            (0, engine_1._log)(NS, `handle()....`);
-            const $path = event.pathParameters || {};
-            const $param = event.queryStringParameters || {};
-            (0, engine_1._log)(NS, '! path =', event.path);
-            (0, engine_1._log)(NS, '! $path =', engine_1.$U.json($path));
-            (0, engine_1._log)(NS, '! $param =', engine_1.$U.json($param));
-            //* start promised..
-            return (0, exports.promised)(event, $ctx).then((0, exports.mxNextHandler)(this)).catch((0, exports.mxNextFailure)(event, $ctx));
-        });
-        /**
-         * builder of tools for http-headers
-         * - extracting header content, and parse.
-         */
-        this.tools = (headers) => new MyHttpHeaderTool(headers);
-        /**
-         * builder of tools without kms.
-         */
-        this.toolsV2 = (headers, reqContext) => new MyHttpHeaderToolV2(headers, reqContext);
         // _log(NS, `LambdaWEBHandler()..`);
     }
     /**
@@ -288,154 +259,202 @@ class LambdaWEBHandler extends lambda_handler_1.LambdaSubHandler {
             return M;
         }, {});
     }
+    /**
+     * Default WEB Handler.
+     */
+    handle = async (event, $ctx) => {
+        //* inspect API parameters.
+        (0, engine_1._log)(NS, `handle()....`);
+        const $path = event.pathParameters || {};
+        const $param = event.queryStringParameters || {};
+        (0, engine_1._log)(NS, '! path =', event.path);
+        (0, engine_1._log)(NS, '! $path =', engine_1.$U.json($path));
+        (0, engine_1._log)(NS, '! $param =', engine_1.$U.json($param));
+        //* start promised..
+        return (0, exports.promised)(event, $ctx).then((0, exports.mxNextHandler)(this)).catch((0, exports.mxNextFailure)(event, $ctx));
+    };
     /**
      * handle param via protocol-service.
      *
      * @param param protocol parameters
      * @param event (optional) origin event object.
      */
-    handleProtocol(param, event) {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (!param)
-                throw new Error(`@param (protocol-param) is required!`);
-            //TODO [Steve] id, cmd can (or should) be null or empty! (support for `/{cmd+}` pattern) @251212
-            const TYPE = `${param.type || ''}`;
-            const MODE = `${param.mode || 'GET'}`;
-            const ID = `${param.id || ''}`;
-            const CMD = `${param.cmd || ''}`;
-            const PATH = `${(event && event.path) || ''}`;
-            const $param = param.param;
-            const $body = param.body;
-            const context = param.context;
-            //* debug print body.
-            if (!$body) {
-                (0, engine_1._log)(NS, `#${MODE}:${CMD} (${TYPE}/${ID})....`);
-            }
-            else {
-                (0, engine_1._log)(NS, `#${MODE}:${CMD} (${TYPE}/${ID}).... body.len=`, $body ? engine_1.$U.json($body).length : -1);
+    async handleProtocol(param, event) {
+        if (!param)
+            throw new Error(`@param (protocol-param) is required!`);
+        //TODO [Steve] id, cmd can (or should) be null or empty! (support for `/{cmd+}` pattern) @251212
+        const TYPE = `${param.type || ''}`;
+        const MODE = `${param.mode || 'GET'}`;
+        const ID = `${param.id || ''}`;
+        const CMD = `${param.cmd || ''}`;
+        const PATH = `${(event && event.path) || ''}`;
+        const $param = param.param;
+        const $body = param.body;
+        const context = param.context;
+        //* debug print body.
+        if (!$body) {
+            (0, engine_1._log)(NS, `#${MODE}:${CMD} (${TYPE}/${ID})....`);
+        }
+        else {
+            (0, engine_1._log)(NS, `#${MODE}:${CMD} (${TYPE}/${ID}).... body.len=`, $body ? engine_1.$U.json($body).length : -1);
+        }
+        //* find target next function
+        // const decoder: NextDecoder | CoreWEBController = this._handlers[TYPE];
+        const next = ((decoder) => {
+            //* as default handler '/', say the current version.
+            if (MODE === 'LIST' && TYPE === '' && ID === '' && CMD === '') {
+                return async () => {
+                    const $pack = (0, tools_1.loadJsonSync)('package.json');
+                    const name = ($pack && $pack.name) || 'LEMON API';
+                    const version = ($pack && $pack.version) || '0.0.0';
+                    const modules = [`${name}/${version}`];
+                    //* shows version of `lemon-core` via `dependencies`.
+                    const coreVer = $pack && $pack.dependencies && $pack.dependencies['lemon-core'];
+                    if (coreVer)
+                        modules.push(`lemon-core/${coreVer.startsWith('^') ? coreVer.substring(1) : coreVer}`);
+                    return modules.join('\n');
+                };
             }
-            //* find target next function
-            // const decoder: NextDecoder | CoreWEBController = this._handlers[TYPE];
-            const next = ((decoder) => {
-                //* as default handler '/', say the current version.
-                if (MODE === 'LIST' && TYPE === '' && ID === '' && CMD === '') {
-                    return () => __awaiter(this, void 0, void 0, function* () {
-                        const $pack = (0, tools_1.loadJsonSync)('package.json');
-                        const name = ($pack && $pack.name) || 'LEMON API';
-                        const version = ($pack && $pack.version) || '0.0.0';
-                        const modules = [`${name}/${version}`];
-                        //* shows version of `lemon-core` via `dependencies`.
-                        const coreVer = $pack && $pack.dependencies && $pack.dependencies['lemon-core'];
-                        if (coreVer)
-                            modules.push(`lemon-core/${coreVer.startsWith('^') ? coreVer.substring(1) : coreVer}`);
-                        return modules.join('\n');
-                    });
-                }
-                //* error if no decoder.
-                if (!decoder)
-                    return null;
-                //* use decoder() to find target.
-                if (typeof decoder == 'function')
-                    return decoder(MODE, ID, CMD, PATH);
-                else if (typeof decoder == 'object') {
-                    const func = decoder.decode(MODE, ID, CMD, PATH);
-                    if (!func)
-                        return null; // avoid 'null' error.
-                    const next = (i, p, b, c) => func.call(decoder, i, p, b, c);
-                    return next;
-                }
+            //* error if no decoder.
+            if (!decoder)
                 return null;
-            })(this._handlers[TYPE]);
-            //* if no next, then report error.
-            if (!next || typeof next != 'function') {
-                (0, engine_1._err)(NS, `! WARN ! MISSING NEXT-HANDLER. event=`, engine_1.$U.json(event));
-                throw new Error(`404 NOT FOUND - ${MODE} /${TYPE}/${ID}${CMD ? `/${CMD}` : ''}`);
+            //* use decoder() to find target.
+            if (typeof decoder == 'function')
+                return decoder(MODE, ID, CMD, PATH);
+            else if (typeof decoder == 'object') {
+                const func = decoder.decode(MODE, ID, CMD, PATH);
+                if (!func)
+                    return null; // avoid 'null' error.
+                const next = (i, p, b, c) => func.call(decoder, i, p, b, c);
+                return next;
             }
-            //* call next.. (it will return result or promised)
-            return (() => {
-                try {
-                    const R = next(ID, $param, $body, context);
-                    return R instanceof Promise ? R : Promise.resolve(R);
-                }
-                catch (e) {
-                    return Promise.reject(e);
-                }
-            })();
-        });
+            return null;
+        })(this._handlers[TYPE]);
+        //* if no next, then report error.
+        if (!next || typeof next != 'function') {
+            (0, engine_1._err)(NS, `! WARN ! MISSING NEXT-HANDLER. event=`, engine_1.$U.json(event));
+            throw new Error(`404 NOT FOUND - ${MODE} /${TYPE}/${ID}${CMD ? `/${CMD}` : ''}`);
+        }
+        //* call next.. (it will return result or promised)
+        return (() => {
+            try {
+                const R = next(ID, $param, $body, context);
+                return R instanceof Promise ? R : Promise.resolve(R);
+            }
+            catch (e) {
+                return Promise.reject(e);
+            }
+        })();
     }
+    /**
+     * builder of tools for http-headers
+     * - extracting header content, and parse.
+     */
+    tools = (headers) => new MyHttpHeaderTool(headers);
     /**
      * pack the request context for Http request.
      *
      * @param event origin Event.
      * @param orgContext (optional) original lambda.Context
      */
-    packContext(event, orgContext) {
-        return __awaiter(this, void 0, void 0, function* () {
-            (0, engine_1._log)(NS, `packContext(${event ? '' : 'null'})..`);
-            if (!event)
-                return null;
-            //* prepare chain object.
-            const reqContext = event === null || event === void 0 ? void 0 : event.requestContext;
-            orgContext && (0, engine_1._log)(NS, `> orgContext =`, engine_1.$U.S(orgContext, 256, 32));
-            reqContext && (0, engine_1._log)(NS, `> reqContext =`, engine_1.$U.S(reqContext, 256, 32));
-            // STEP.1 support lambda call JWT Token authentication.
-            const headers = event.headers;
-            if (headers && headers[protocol_service_1.HEADER_PROTOCOL_CONTEXT]) {
-                //* if it is protocol request via lambda, then returns valid context.
-                const $param = protocol_1.default.service.asTransformer('web').transformToParam(event);
-                return $param === null || $param === void 0 ? void 0 : $param.context;
-            }
-            // STEP.2 use internal identity json data via python lambda call.
-            const $tool = this.toolsV2(headers, reqContext);
-            const identity = yield $tool.parseIdentityHeader();
-            const _prepare = () => {
-                const cookie = $tool.parseCookiesHeader();
-                const domain = $tool.getHeader('host');
-                const referer = $tool.getHeader('referer');
-                const origin = $tool.getHeader('origin');
-                const userAgent = $tool.getHeader('user-agent');
-                const authorization = $tool.getHeader('authorization');
-                return { identity, cookie, domain, referer, origin, userAgent, authorization };
-            };
-            // STEP.3. prepare the final `next-context`.
-            const $ctx = yield $tool.prepareContext(_prepare(), reqContext);
-            $ctx.source = protocol_1.default.service.myProtocolURI($ctx); // self service-uri as source
-            // FINIAL. returns
-            return $ctx;
-        });
+    async packContext(event, orgContext) {
+        (0, engine_1._log)(NS, `packContext(${event ? '' : 'null'})..`);
+        if (!event)
+            return null;
+        //* prepare chain object.
+        const reqContext = event?.requestContext;
+        orgContext && (0, engine_1._log)(NS, `> orgContext =`, engine_1.$U.S(orgContext, 256, 32));
+        reqContext && (0, engine_1._log)(NS, `> reqContext =`, engine_1.$U.S(reqContext, 256, 32));
+        // STEP.1 support lambda call JWT Token authentication.
+        const headers = event.headers;
+        if (headers && headers[protocol_service_1.HEADER_PROTOCOL_CONTEXT]) {
+            //* if it is protocol request via lambda, then returns valid context.
+            const $param = protocol_1.default.service.asTransformer('web').transformToParam(event);
+            return $param?.context;
+        }
+        // STEP.2 use internal identity json data via python lambda call.
+        const $tool = this.tools(headers);
+        const identity = await $tool.parseIdentityHeader();
+        const _prepare = () => {
+            const cookie = $tool.parseCookiesHeader();
+            const domain = $tool.getHeader('host');
+            const referer = $tool.getHeader('referer');
+            const origin = $tool.getHeader('origin');
+            const userAgent = $tool.getHeader('user-agent');
+            const authorization = $tool.getHeader('authorization');
+            return { identity, cookie, domain, referer, origin, userAgent, authorization };
+        };
+        // STEP.3. prepare the final `next-context`.
+        const $ctx = await $tool.prepareContext(_prepare(), reqContext);
+        $ctx.source = protocol_1.default.service.myProtocolURI($ctx); // self service-uri as source
+        // FINIAL. returns
+        return $ctx;
     }
 }
 exports.LambdaWEBHandler = LambdaWEBHandler;
-//* shared config.
-LambdaWEBHandler.REPORT_ERROR = lambda_handler_1.LambdaHandler.REPORT_ERROR;
 /**
  * class: `MyHttpHeaderTool`
  * - basic implementation of HttpHeaderTool
  */
 class MyHttpHeaderTool {
+    headers;
+    static _accountId;
+    static _accountIdPromise;
     /**
      * default constructor.
      * @param headers
      */
     constructor(headers, options) {
-        var _a;
-        /** expose `onlyDefined` */
-        this.onlyDefined = test_helper_1.onlyDefined;
-        /**
-         * check if this request is from externals (like API-GW)
-         * @returns true if in external
-         */
-        this.isExternal = () => {
-            const host = this.getHeader('host');
-            const isExternal = host ? true : false;
-            return !!isExternal;
-        };
-        const isClone = (_a = options === null || options === void 0 ? void 0 : options.isClone) !== null && _a !== void 0 ? _a : true;
-        this.headers = isClone ? Object.assign({}, headers) : headers;
+        const isClone = options?.isClone ?? true;
+        this.headers = isClone ? { ...headers } : headers;
     }
     hello() {
         return 'header-tool-by-default';
     }
+    /** expose `onlyDefined` */
+    onlyDefined = test_helper_1.onlyDefined;
+    /**
+     * build default JWT secret from AWS account id + magic key.
+     */
+    buildJwtSecret = async () => {
+        const accountId = await this.getAccountId();
+        const secret = JWT_MAGIC_KEY; // 유출되면 피곤함.
+        const _hmac = (msg, key = secret) => engine_1.$U.hmac(msg, key, 'sha256', 'base64'); // 기본 로직
+        return _hmac(_hmac(accountId, _hmac(JWT_SIGN_KEY)), JWT_SIGN_KEY);
+    };
+    /**
+     * get current aws account-id via STS. (once)
+     */
+    getAccountId = async () => {
+        if (MyHttpHeaderTool._accountId)
+            return MyHttpHeaderTool._accountId;
+        if (!MyHttpHeaderTool._accountIdPromise) {
+            MyHttpHeaderTool._accountIdPromise = (async () => {
+                // 1. getHelloArn()에서 ARN을 통해 accountId 추출 시도
+                try {
+                    const arn = (0, engine_1.getHelloArn)(null, NS);
+                    if (arn && arn.startsWith('arn:aws:')) {
+                        const accountId = arn.split(':')[4];
+                        if (accountId)
+                            return accountId;
+                    }
+                }
+                catch (e) {
+                    (0, engine_1._log)(NS, '! getHelloArn failed, fallback to STS');
+                }
+                // 2. fallback: STS 호출 (awsConfig 사용)
+                const cfg = (0, tools_1.awsConfig)(engine_1.$engine);
+                const sts = new client_sts_1.STSClient(cfg);
+                const data = await sts.send(new client_sts_1.GetCallerIdentityCommand({}));
+                return data?.Account || '000000000000';
+            })().catch(err => {
+                (0, engine_1._err)(NS, '! err@jwt.accountId =', err);
+                return '000000000000';
+            });
+        }
+        MyHttpHeaderTool._accountId = await MyHttpHeaderTool._accountIdPromise;
+        return MyHttpHeaderTool._accountId;
+    };
     /**
      * get values by name
      * @param name case-insentive name of field
@@ -470,6 +489,15 @@ class MyHttpHeaderTool {
         const vals = this.getHeaders(name);
         return vals.length < 1 ? undefined : vals[vals.length - 1];
     }
+    /**
+     * check if this request is from externals (like API-GW)
+     * @returns true if in external
+     */
+    isExternal = () => {
+        const host = this.getHeader('host');
+        const isExternal = host ? true : false;
+        return !!isExternal;
+    };
     /**
      * parse of header[`x-lemon-identity`] to get the instance of `NextIdentity`
      * - lambda 호출의 2가지 방법이 있음 (interval vs external)
@@ -484,48 +512,43 @@ class MyHttpHeaderTool {
      * - support ONLY JWT Token authentication (verification).
      * - iat
      */
-    parseIdentityHeader(name = HEADER_LEMON_IDENTITY) {
-        var _a;
-        return __awaiter(this, void 0, void 0, function* () {
-            //* internal means `request from internal services`
-            const isInternal = !this.isExternal();
-            const val = this.getHeader(name);
-            let result = val ? { meta: val } : {};
-            try {
-                if (!val) {
-                    //NOP
-                }
-                else if (isInternal && val.startsWith('{') && val.endsWith('}')) {
-                    result = yield this.parseIdentityJson(val);
-                }
-                else if (typeof val === 'string' && val.split('.').length === 3) {
-                    result = yield this.parseIdentityJWT(val);
-                }
+    async parseIdentityHeader(name = HEADER_LEMON_IDENTITY) {
+        //* internal means `request from internal services`
+        const isInternal = !this.isExternal();
+        const val = this.getHeader(name);
+        let result = val ? { meta: val } : {};
+        try {
+            if (!val) {
+                //NOP
             }
-            catch (e) {
-                (0, engine_1._err)(NS, '!WARN! parse.err =', e);
-                (0, engine_1._err)(NS, '!WARN! identity =', val);
-                result.error = (0, test_helper_1.GETERR)(e);
+            else if (isInternal && val.startsWith('{') && val.endsWith('}')) {
+                result = await this.parseIdentityJson(val);
             }
-            //* overwrite finally language selection.
-            const lang = (_a = this.parseLanguageHeader()) !== null && _a !== void 0 ? _a : result === null || result === void 0 ? void 0 : result.lang;
-            return Object.assign(Object.assign({}, result), { lang });
-        });
+            else if (typeof val === 'string' && val.split('.').length === 3) {
+                result = await this.parseIdentityJWT(val);
+            }
+        }
+        catch (e) {
+            (0, engine_1._err)(NS, '!WARN! parse.err =', e);
+            (0, engine_1._err)(NS, '!WARN! identity =', val);
+            result.error = (0, test_helper_1.GETERR)(e);
+        }
+        //* overwrite finally language selection.
+        const lang = this.parseLanguageHeader() ?? result?.lang;
+        return { ...result, lang };
     }
     /**
      * parse as identity from json encoded text.
      */
-    parseIdentityJson(val) {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (typeof val !== 'string')
-                throw new Error(`@val[${val}] is invalid - not string!`);
-            //* (ONLY for internal) parse payload as `json`
-            const data = JSON.parse(val);
-            // if (typeof data?.ns !== 'string') throw new Error(`.ns[${data?.ns}] is required - IdentityHeader`);
-            if (typeof (data === null || data === void 0 ? void 0 : data.sid) !== 'string' || !(data === null || data === void 0 ? void 0 : data.sid))
-                throw new Error(`.sid[${data === null || data === void 0 ? void 0 : data.sid}] is required - IdentityHeader`);
-            return data;
-        });
+    async parseIdentityJson(val) {
+        if (typeof val !== 'string')
+            throw new Error(`@val[${val}] is invalid - not string!`);
+        //* (ONLY for internal) parse payload as `json`
+        const data = JSON.parse(val);
+        // if (typeof data?.ns !== 'string') throw new Error(`.ns[${data?.ns}] is required - IdentityHeader`);
+        if (typeof data?.sid !== 'string' || !data?.sid)
+            throw new Error(`.sid[${data?.sid}] is required - IdentityHeader`);
+        return data;
     }
     /**
      * find(or make) the proper KMSService per key
@@ -542,87 +565,85 @@ class MyHttpHeaderTool {
     /**
      * encode as JWT string.
      */
-    encodeIdentityJWT(identity, params) {
-        var _a;
-        return __awaiter(this, void 0, void 0, function* () {
-            // STEP.0 validate paramters.
-            if (!identity || typeof identity !== 'object')
-                throw new Error(`@identity (object) is required - but ${typeof identity}`);
-            // STEP.1 prepare payload data
-            const current = (_a = params === null || params === void 0 ? void 0 : params.current) !== null && _a !== void 0 ? _a : engine_1.$U.current_time_ms();
-            const alias = params === null || params === void 0 ? void 0 : params.alias;
-            const payload = Object.assign(Object.assign({}, identity), { iss: alias ? `kms/${alias}` : null, iat: Math.floor(current / 1000), exp: Math.floor(current / 1000) + 24 * 60 * 60 });
-            const base64url = (t) => (0, aws_kms_service_1.fromBase64)(Buffer.from(t).toString('base64'));
-            const data = {
-                header: base64url(JSON.stringify({
-                    alg: 'RS256',
-                    typ: 'JWT',
-                })),
-                payload: base64url(JSON.stringify(payload)),
-            };
-            // STEP.2 encode and calc signature.
-            const message = [data.header, data.payload].join('.');
-            const $kms = alias ? this.findKMSService(`alias/${alias}`) : null;
-            const signature = $kms ? yield $kms.sign(message, true) : '';
-            const token = [message, signature].join('.');
-            return { signature, message, token };
-        });
+    async encodeIdentityJWT(identity, params) {
+        // STEP.0 validate paramters.
+        if (!identity || typeof identity !== 'object')
+            throw new Error(`@identity (object) is required - but ${typeof identity}`);
+        // STEP.1 prepare payload data
+        const current = params?.current ?? engine_1.$U.current_time_ms();
+        const alias = params?.alias;
+        const useHs256 = params?.useHs256 ?? false;
+        const service = config_1.default?.config?.getService?.();
+        // service 검증 (useHs256 + alias 없을 때만)
+        if (useHs256 && !alias && service && !/^[a-z][a-zA-Z0-9-]*$/.test(service)) {
+            throw new Error(`@service[${service}] is invalid - encodeIdentityJWT()`);
+        }
+        // issuer 결정
+        const iss = alias ? `kms/${alias}` : useHs256 ? `api/${service}` : null;
+        // alg 헤더 결정
+        const alg = alias ? 'RS256' : useHs256 ? 'HS256' : 'RS256';
+        const payload = {
+            ...identity,
+            iss, //* issuer name.
+            iat: Math.floor(current / 1000), //* issued at
+            exp: params?.exp ?? Math.floor(current / 1000) + 24 * 60 * 60, //* max 1 day.
+        };
+        const base64url = (t) => (0, aws_kms_service_1.fromBase64)(Buffer.from(t).toString('base64'));
+        const data = {
+            header: base64url(JSON.stringify({ alg, typ: 'JWT' })),
+            payload: base64url(JSON.stringify(payload)),
+        };
+        // STEP.2 encode and calc signature.
+        const message = [data.header, data.payload].join('.');
+        const signature = alias || useHs256 ? await this.signToken(alias, message) : '';
+        const token = [message, signature].join('.');
+        return { signature, message, token };
     }
     /**
      * parse as jwt-token, and validate the signature.
+     * - supports both `kms/*` and `api/*` issuers via verifyToken()
      */
-    parseIdentityJWT(token, params) {
-        var _a, _b;
-        return __awaiter(this, void 0, void 0, function* () {
-            const isVerify = (_a = params === null || params === void 0 ? void 0 : params.verify) !== null && _a !== void 0 ? _a : true;
-            const errScope = `verifyJWT(http)`;
-            //* it must be JWT Token. verify signature, and load.
-            if (typeof token !== 'string' || !token)
-                throw new Error(`@token (string) is required (but ${typeof token}) - ${errScope}`);
-            // STEP.1 decode jwt, and extract { iss, iat, exp }
-            const current = (_b = params === null || params === void 0 ? void 0 : params.current) !== null && _b !== void 0 ? _b : engine_1.$U.current_time_ms();
-            const sections = token.split('.');
-            if (sections.length !== 3)
-                throw new Error(`@token[${token}] is invalid (format) - ${errScope}`);
-            const [header, payload, signature] = sections;
-            const $jwt = engine_1.$U.jwt();
-            const data = $jwt.decode(token, { complete: false, json: true });
-            if (!data)
-                throw new Error(`@token[${token}] is invalid (failed to decode) - ${errScope}`);
-            const { iss, iat, exp } = data;
-            // STEP.1-1 validate parameters.
-            if (typeof iss !== 'string' && iss !== null)
-                throw new Error(`.iss (string) is required - ${errScope}`);
-            if (typeof iat !== 'number' && iat !== null)
-                throw new Error(`.iat (number) is required - ${errScope}`);
-            if (typeof exp !== 'number' && exp !== null)
-                throw new Error(`.exp (number) is required - ${errScope}`);
-            // STEP.2 validate signature by KMS(iss).verify()
-            //TODO - iss 에 인증제공자의 api 넣기 (ex: api/lemon-backend-dev?)
-            const _alias = (iss, prefix = 'kms/') => iss.includes(',') ? iss.substring(prefix.length, iss.indexOf(',')) : iss.substring(prefix.length);
-            if (!isVerify) {
-                return data;
-            }
-            else if (typeof iss === 'string' && iss.startsWith('kms/')) {
-                const alias = _alias(iss);
-                const $kms = alias ? this.findKMSService(`alias/${alias}`) : null;
-                const message = [header, payload].join('.');
-                const verified = $kms
-                    ? yield $kms.verify(message, signature, { throwable: true }).catch(e => {
-                        throw new Error(`@signature[] is invalid (kms: ${(0, test_helper_1.GETERR)(e)}) - ${errScope}`);
-                    })
-                    : false;
-                if (!verified)
-                    throw new Error(`@signature[] is invalid (failed to verify by iss:${iss}) - ${errScope}`);
-                if (!exp)
-                    throw new Error(`.exp[${exp}] is invalid (empty) - ${errScope}`);
-                if (exp * 1000 < current)
-                    throw new Error(`.exp[${engine_1.$U.ts(exp * 1000)}] is invalid (expired) - ${errScope}`);
-                return data;
-            }
-            //* or throw
-            throw new Error(`@iss[${iss}] is invalid (unsupportable issuer) - ${errScope}`);
+    async parseIdentityJWT(token, params) {
+        const isVerify = params?.verify ?? true;
+        const errScope = `verifyJWT(http)`;
+        //* it must be JWT Token. verify signature, and load.
+        if (typeof token !== 'string' || !token)
+            throw new Error(`@token (string) is required (but ${typeof token}) - ${errScope}`);
+        const sections = token.split('.');
+        if (sections.length !== 3)
+            throw new Error(`@token[${token}] is invalid (format) - ${errScope}`);
+        // STEP.1 decode jwt, and extract { iss, iat, exp }
+        const current = params?.current ?? engine_1.$U.current_time_ms();
+        const [header, payload, signature] = sections;
+        const message = [header, payload].join('.');
+        const data = engine_1.$U.jwt().decode(token, { complete: false, json: true });
+        if (!data)
+            throw new Error(`@token[${token}] is invalid (failed to decode) - ${errScope}`);
+        const { iss, iat, exp } = data;
+        // STEP.1-1 validate parameters.
+        if (typeof iss !== 'string' && iss !== null)
+            throw new Error(`.iss (string) is required - ${errScope}`);
+        if (typeof iat !== 'number' && iat !== null)
+            throw new Error(`.iat (number) is required - ${errScope}`);
+        if (typeof exp !== 'number' && exp !== null)
+            throw new Error(`.exp (number) is required - ${errScope}`);
+        //* skip verification if not required
+        if (!isVerify)
+            return data;
+        // STEP.2 verify signature by iss (supports kms/* and api/*)
+        const verified = await this.verifyToken(iss, message, signature, { token }).catch(e => {
+            throw new Error(`@signature[] is invalid (${(0, test_helper_1.GETERR)(e)}) - ${errScope}`);
         });
+        if (!verified?.valid) {
+            const errMsg = verified?.error || `failed to verify by ${iss}`;
+            throw new Error(`@signature[] is invalid (${errMsg}) - ${errScope}`);
+        }
+        // STEP.3 validate expiration
+        if (!exp)
+            throw new Error(`.exp[${exp}] is invalid (empty) - ${errScope}`);
+        if (exp * 1000 < current)
+            throw new Error(`.exp[${engine_1.$U.ts(exp * 1000)}] is invalid (expired) - ${errScope}`);
+        return data;
     }
     /**
      * parse of header[HEADER_LEMON_LANGUAGE] to get language-type.
@@ -650,202 +671,93 @@ class MyHttpHeaderTool {
     /**
      * override with AWS request-context
      */
-    prepareContext($org, reqContext) {
-        var _a, _b, _c, _d;
-        return __awaiter(this, void 0, void 0, function* () {
-            const errScope = `web.prepareContext(${(_a = $org === null || $org === void 0 ? void 0 : $org.requestId) !== null && _a !== void 0 ? _a : ''})`;
-            // STEP.4 override w/ cognito authentication to NextIdentity.
-            if (((_b = reqContext === null || reqContext === void 0 ? void 0 : reqContext.identity) === null || _b === void 0 ? void 0 : _b.cognitoIdentityPoolId) !== undefined) {
-                const $idt = $org === null || $org === void 0 ? void 0 : $org.identity;
-                if (!$idt)
-                    throw new Error(`.identity (NextIdentity) is required - ${errScope}`);
-                const $req = reqContext.identity;
-                (0, engine_1._inf)(NS, '! identity(req) :=', engine_1.$U.json($req));
-                $idt.identityProvider = $req.cognitoAuthenticationProvider; // provider string.
-                $idt.identityPoolId = $req.cognitoIdentityPoolId; // identity-pool-id like 'ap-northeast-2:618ce9d2-3ad6-49df-b3b3-e248ea51425e'
-                $idt.identityId = $req.cognitoIdentityId; // identity-id like 'ap-northeast-2:dbd95fb4-7423-48b8-8a04-56e5bc95e444'
-                $idt.accountId = $req.accountId; // account-id should be same as context.accountId
-                $idt.userAgent = $req.userAgent; // user-agent string.
-                if (typeof $req.caller == 'string')
-                    $idt.caller = $req.caller;
-                if (typeof $req.accessKey == 'string')
-                    $idt.accessKey = $req.accessKey;
-                if (typeof $req.apiKey == 'string')
-                    $idt.apiKey = $req.apiKey;
-                (0, engine_1._inf)(NS, '! identity(new) :=', engine_1.$U.json(Object.assign({}, $idt)));
-            }
-            // STEP.5 extract additional request infor from req-context.
-            const clientIp = `${((_c = reqContext === null || reqContext === void 0 ? void 0 : reqContext.identity) === null || _c === void 0 ? void 0 : _c.sourceIp) || ($org === null || $org === void 0 ? void 0 : $org.clientIp) || ''}`;
-            const userAgent = `${((_d = reqContext === null || reqContext === void 0 ? void 0 : reqContext.identity) === null || _d === void 0 ? void 0 : _d.userAgent) || ($org === null || $org === void 0 ? void 0 : $org.userAgent) || ''}`;
-            const requestId = `${(reqContext === null || reqContext === void 0 ? void 0 : reqContext.requestId) || ($org === null || $org === void 0 ? void 0 : $org.requestId) || ''}`;
-            const accountId = `${(reqContext === null || reqContext === void 0 ? void 0 : reqContext.accountId) || ($org === null || $org === void 0 ? void 0 : $org.accountId) || ''}`;
-            const domain = `${(reqContext === null || reqContext === void 0 ? void 0 : reqContext.domainName) || ($org === null || $org === void 0 ? void 0 : $org.domain) || ''}`; //* chore avoid null of headers
-            //* save into headers and returns.
-            const context = Object.assign(Object.assign({}, $org), { userAgent, clientIp, requestId, accountId, domain });
-            return context;
-        });
-    }
-}
-exports.MyHttpHeaderTool = MyHttpHeaderTool;
-class MyHttpHeaderToolV2 extends MyHttpHeaderTool {
-    constructor(headers, reqContext) {
-        super(headers);
-        /**
-         * build default JWT secret from AWS account id + magic key.
-         */
-        this.buildJwtSecret = () => {
-            var _a, _b;
-            const accountId = (_b = (_a = this.reqContext) === null || _a === void 0 ? void 0 : _a.accountId) !== null && _b !== void 0 ? _b : '000000000000';
-            const secret = JWT_MAGIC_KEY; // 유출되면 피곤함.
-            const _hmac = (msg, key = secret) => engine_1.$U.hmac(msg, key, 'sha256', 'base64'); // 기본 로직
-            return _hmac(_hmac(accountId, _hmac(JWT_SIGN_KEY)), JWT_SIGN_KEY);
-        };
-        this.reqContext = reqContext;
-    }
-    hello() {
-        return 'header-tool-v2';
-    }
-    /**
-     * encode as JWT string.
-     */
-    encodeIdentityJWT(identity, params) {
-        var _a, _b, _c, _d;
-        return __awaiter(this, void 0, void 0, function* () {
-            // STEP.0 validate paramters.
-            if (!identity || typeof identity !== 'object')
-                throw new Error(`@identity (object) is required - but ${typeof identity}`);
-            // STEP.1 prepare payload data
-            const current = (_a = params === null || params === void 0 ? void 0 : params.current) !== null && _a !== void 0 ? _a : engine_1.$U.current_time_ms();
-            const alias = params === null || params === void 0 ? void 0 : params.alias;
-            const useKms = !!(params === null || params === void 0 ? void 0 : params.alias);
-            const service = (_c = (_b = config_1.default === null || config_1.default === void 0 ? void 0 : config_1.default.config) === null || _b === void 0 ? void 0 : _b.getService) === null || _c === void 0 ? void 0 : _c.call(_b);
-            // validate service format
-            if (!useKms && service && !/^[a-z][a-zA-Z0-9-]*$/.test(service)) {
-                throw new Error(`@service[${service}] is invalid - encodeIdentityJWT()`);
-            }
-            const payload = Object.assign(Object.assign({}, identity), { iss: useKms ? `kms/${alias}` : `api/${service}`, iat: Math.floor(current / 1000), exp: (_d = params === null || params === void 0 ? void 0 : params.exp) !== null && _d !== void 0 ? _d : Math.floor(current / 1000) + 24 * 60 * 60 });
-            const base64url = (t) => (0, aws_kms_service_1.fromBase64)(Buffer.from(t).toString('base64'));
-            const alg = useKms ? 'RS256' : 'HS256';
-            const data = {
-                header: base64url(JSON.stringify({
-                    alg,
-                    typ: 'JWT',
-                })),
-                payload: base64url(JSON.stringify(payload)),
-            };
-            // STEP.2 encode and calc signature.
-            const message = [data.header, data.payload].join('.');
-            const signature = yield this.signToken(alias, message);
-            const token = [message, signature].join('.');
-            return { signature, message, token };
-        });
-    }
-    /**
-     * parse as jwt-token, and validate the signature.
-     */
-    parseIdentityJWT(token, params) {
-        var _a, _b;
-        return __awaiter(this, void 0, void 0, function* () {
-            const isVerify = (_a = params === null || params === void 0 ? void 0 : params.verify) !== null && _a !== void 0 ? _a : true;
-            const errScope = `verifyJWT(http)`;
-            //* it must be JWT Token. verify signature, and load.
-            if (typeof token !== 'string' || !token)
-                throw new Error(`@token (string) is required (but ${typeof token}) - ${errScope}`);
-            const sections = token.split('.');
-            if (sections.length !== 3)
-                throw new Error(`@token[${token}] is invalid (format) - ${errScope}`);
-            // STEP.1 decode jwt, and extract { iss, iat, exp }
-            const current = (_b = params === null || params === void 0 ? void 0 : params.current) !== null && _b !== void 0 ? _b : engine_1.$U.current_time_ms();
-            const [header, payload, signature] = sections;
-            const message = [header, payload].join('.');
-            const data = engine_1.$U.jwt().decode(token, { complete: false, json: true });
-            if (!data)
-                throw new Error(`@token[${token}] is invalid (failed to decode) - ${errScope}`);
-            const { iss, iat, exp } = data;
-            // STEP.1-1 validate parameters.
-            if (typeof iss !== 'string' && iss !== null)
-                throw new Error(`.iss (string) is required - ${errScope}`);
-            if (typeof iat !== 'number' && iat !== null)
-                throw new Error(`.iat (number) is required - ${errScope}`);
-            if (typeof exp !== 'number' && exp !== null)
-                throw new Error(`.exp (number) is required - ${errScope}`);
-            //* skip verification if not required
-            if (!isVerify)
-                return data;
-            // STEP.2 verify signature by iss
-            const verified = yield this.verifyToken(iss, message, signature, { token }).catch(e => {
-                throw new Error(`@signature[] is invalid (${(0, test_helper_1.GETERR)(e)}) - ${errScope}`);
-            });
-            if (!(verified === null || verified === void 0 ? void 0 : verified.valid)) {
-                const errMsg = (verified === null || verified === void 0 ? void 0 : verified.error) || `failed to verify by ${iss}`;
-                throw new Error(`@signature[] is invalid (${errMsg}) - ${errScope}`);
-            }
-            // STEP.3 validate expiration
-            if (!exp)
-                throw new Error(`.exp[${exp}] is invalid (empty) - ${errScope}`);
-            if (exp * 1000 < current)
-                throw new Error(`.exp[${engine_1.$U.ts(exp * 1000)}] is invalid (expired) - ${errScope}`);
-            return data;
-        });
+    async prepareContext($org, reqContext) {
+        const errScope = `web.prepareContext(${$org?.requestId ?? ''})`;
+        // STEP.4 override w/ cognito authentication to NextIdentity.
+        if (reqContext?.identity?.cognitoIdentityPoolId !== undefined) {
+            const $idt = $org?.identity;
+            if (!$idt)
+                throw new Error(`.identity (NextIdentity) is required - ${errScope}`);
+            const $req = reqContext.identity;
+            (0, engine_1._inf)(NS, '! identity(req) :=', engine_1.$U.json($req));
+            $idt.identityProvider = $req.cognitoAuthenticationProvider; // provider string.
+            $idt.identityPoolId = $req.cognitoIdentityPoolId; // identity-pool-id like 'ap-northeast-2:618ce9d2-3ad6-49df-b3b3-e248ea51425e'
+            $idt.identityId = $req.cognitoIdentityId; // identity-id like 'ap-northeast-2:dbd95fb4-7423-48b8-8a04-56e5bc95e444'
+            $idt.accountId = $req.accountId; // account-id should be same as context.accountId
+            $idt.userAgent = $req.userAgent; // user-agent string.
+            if (typeof $req.caller == 'string')
+                $idt.caller = $req.caller;
+            if (typeof $req.accessKey == 'string')
+                $idt.accessKey = $req.accessKey;
+            if (typeof $req.apiKey == 'string')
+                $idt.apiKey = $req.apiKey;
+            (0, engine_1._inf)(NS, '! identity(new) :=', engine_1.$U.json({ ...$idt }));
+        }
+        // STEP.5 extract additional request infor from req-context.
+        const clientIp = `${reqContext?.identity?.sourceIp || $org?.clientIp || ''}`;
+        const userAgent = `${reqContext?.identity?.userAgent || $org?.userAgent || ''}`;
+        const requestId = `${reqContext?.requestId || $org?.requestId || ''}`;
+        const accountId = `${reqContext?.accountId || $org?.accountId || ''}`;
+        const domain = `${reqContext?.domainName || $org?.domain || ''}`; //* chore avoid null of headers
+        //* save into headers and returns.
+        const context = { ...$org, userAgent, clientIp, requestId, accountId, domain };
+        return context;
     }
     /**
      * verify token signature by iss.
      * - `kms/*`: verify by KMS (RS256)
      * - `api/*`: verify by HS256 (local) or protocol (remote)
      */
-    verifyToken(iss, message, signature, options) {
-        var _a, _b, _c;
-        return __awaiter(this, void 0, void 0, function* () {
-            const errScope = `verifyToken(${iss !== null && iss !== void 0 ? iss : ''})`;
-            const _alias = (iss, prefix) => {
-                const value = iss.substring(prefix.length);
-                return value.includes(',') ? value.substring(0, value.indexOf(',')) : value;
-            };
-            try {
-                // KMS verification (RS256) - iss starts with 'kms/'
-                if (typeof iss === 'string' && iss.startsWith('kms/')) {
-                    const alias = _alias(iss, 'kms/');
-                    if (!alias)
-                        throw new Error(`@alias (string) is required - ${errScope}`);
-                    const $kms = this.findKMSService(`alias/${alias}`);
-                    const valid = yield $kms.verify(message, signature, { throwable: true });
-                    return { valid };
+    async verifyToken(iss, message, signature, options) {
+        const errScope = `verifyToken(${iss ?? ''})`;
+        const _alias = (iss, prefix) => {
+            const value = iss.substring(prefix.length);
+            return value.includes(',') ? value.substring(0, value.indexOf(',')) : value;
+        };
+        try {
+            // KMS verification (RS256) - iss starts with 'kms/'
+            if (typeof iss === 'string' && iss.startsWith('kms/')) {
+                const alias = _alias(iss, 'kms/');
+                if (!alias)
+                    throw new Error(`@alias (string) is required - ${errScope}`);
+                const $kms = this.findKMSService(`alias/${alias}`);
+                const valid = await $kms.verify(message, signature, { throwable: true });
+                return { valid };
+            }
+            // API verification - iss starts with 'api/'
+            if (typeof iss === 'string' && iss.startsWith('api/')) {
+                const issuer = iss.substring(4);
+                // validate issuer format
+                if (!/^[a-z][a-zA-Z0-9-]*$/.test(issuer)) {
+                    throw new Error(`@issuer[${issuer}] is invalid - ${errScope}`);
                 }
-                // API verification - iss starts with 'api/'
-                if (typeof iss === 'string' && iss.startsWith('api/')) {
-                    const issuer = iss.substring(4);
-                    // validate issuer format
-                    if (!/^[a-z][a-zA-Z0-9-]*$/.test(issuer)) {
-                        throw new Error(`@issuer[${issuer}] is invalid - ${errScope}`);
-                    }
-                    const currentService = (_b = (_a = config_1.default === null || config_1.default === void 0 ? void 0 : config_1.default.config) === null || _a === void 0 ? void 0 : _a.getService) === null || _b === void 0 ? void 0 : _b.call(_a);
-                    // verify if issued by current service
-                    if (issuer === currentService) {
-                        const secret = this.buildJwtSecret();
-                        const expected = (0, aws_kms_service_1.fromBase64)(engine_1.$U.hmac(message, secret, 'sha256', 'base64'));
-                        const valid = expected === signature;
-                        return { valid };
-                    }
-                    // verify via protocol
-                    const token = (_c = options === null || options === void 0 ? void 0 : options.token) !== null && _c !== void 0 ? _c : `${message}.${signature}`;
-                    const body = { token };
-                    const payload = {
-                        service: issuer,
-                        type: 'oauth',
-                        mode: 'POST',
-                        id: 'verify-token',
-                        body,
-                        context: {},
-                    };
-                    const res = yield protocol_1.default.service.execute(payload);
-                    return res;
+                const currentService = config_1.default?.config?.getService?.();
+                // verify if issued by current service
+                if (issuer === currentService) {
+                    const secret = await this.buildJwtSecret();
+                    const expected = (0, aws_kms_service_1.fromBase64)(engine_1.$U.hmac(message, secret, 'sha256', 'base64'));
+                    const valid = expected === signature;
+                    return { valid };
                 }
-                throw new Error(`@iss[${iss}] is invalid (unsupportable issuer) - ${errScope}`);
-            }
-            catch (e) {
-                return { valid: false, error: (0, test_helper_1.GETERR)(e) };
+                // verify via protocol
+                const token = options?.token ?? `${message}.${signature}`;
+                const body = { token };
+                const payload = {
+                    service: issuer,
+                    type: 'oauth',
+                    mode: 'POST',
+                    id: 'verify-token',
+                    body,
+                    context: {},
+                };
+                const res = await protocol_1.default.service.execute(payload);
+                return res;
             }
-        });
+            throw new Error(`@iss[${iss}] is invalid (unsupportable issuer) - ${errScope}`);
+        }
+        catch (e) {
+            return { valid: false, error: (0, test_helper_1.GETERR)(e) };
+        }
     }
     /**
      * sign the message w/ alias
@@ -854,30 +766,28 @@ class MyHttpHeaderToolV2 extends MyHttpHeaderTool {
      * @param alias kms key alias
      * @param message the jwt message string
      */
-    signToken(alias, message) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const errScope = `signToken(${alias !== null && alias !== void 0 ? alias : ''})`;
-            if (!message)
-                throw new Error(`@message (string) is required - ${errScope}`);
-            const useKms = !!alias;
-            if (useKms) {
-                // KMS verification (RS256)
-                if (!alias)
-                    return '';
-                const $kms = new aws_kms_service_1.AWSKMSService(`alias/${alias}`);
-                const signature = yield $kms.sign(message, true);
-                (0, engine_1._inf)(NS, `> signature[${alias}] with KMS =`, signature);
-                return signature;
-            }
-            else {
-                // HS256: sign directly with secret
-                const secret = this.buildJwtSecret();
-                const signature = (0, aws_kms_service_1.fromBase64)(engine_1.$U.hmac(message, secret, 'sha256', 'base64'));
-                (0, engine_1._inf)(NS, `> signature[${alias}] with HS256 =`, signature);
-                return signature;
-            }
-        });
+    async signToken(alias, message) {
+        const errScope = `signToken(${alias ?? ''})`;
+        if (!message)
+            throw new Error(`@message (string) is required - ${errScope}`);
+        const useKms = !!alias;
+        if (useKms) {
+            // KMS verification (RS256)
+            if (!alias)
+                return '';
+            const $kms = new aws_kms_service_1.AWSKMSService(`alias/${alias}`);
+            const signature = await $kms.sign(message, true);
+            (0, engine_1._inf)(NS, `> signature[${alias}] with KMS =`, signature);
+            return signature;
+        }
+        else {
+            // HS256: sign directly with secret
+            const secret = await this.buildJwtSecret();
+            const signature = (0, aws_kms_service_1.fromBase64)(engine_1.$U.hmac(message, secret, 'sha256', 'base64'));
+            (0, engine_1._inf)(NS, `> signature[${alias}] with HS256 =`, signature);
+            return signature;
+        }
     }
 }
-exports.MyHttpHeaderToolV2 = MyHttpHeaderToolV2;
+exports.MyHttpHeaderTool = MyHttpHeaderTool;
 //# sourceMappingURL=lambda-web-handler.js.map